Tag: soc

The educational highlight for 2013 was completing my Master's project and gaining my MSc in ‘Distributed Systems and Networks’.

I also managed to attend a few interesting conferences including Infosec, F5, and Information Security Forum. Relevant notes from these events were uploaded to this blog throughout the year.

My education fail for the year was not getting round to taking my TOGAF exam. This is one of those things that looks like it may be career useful, but that I am not particularly passionate about. I have completed the course and worked in environments where it is applied, so I understand the framework and how to use it; however, getting motivated to do the exam has failed to reach the top of my to-do list. I’ll see how this year goes; 2014 may be the year I get round to it.

Work wise it was all change in 2013 as well, with my move from Canada Life to WorldPay in January. One of the best moves I have made: Canada Life was a pleasant place to work, but the slowest and least dynamic company I have ever been in. Some people are very happy there, but it wasn’t for me! WorldPay is considerably more dynamic and, being a payment processor, places a high value on doing things securely, which makes my role as a security architect very rewarding.

There are a lot of changes happening at WorldPay, so watch this space for updates on my career and where it is heading. One way or another I’ll definitely be staying in the security field, and very likely in architecture.

Which brings us nicely onto 2014.

From a work project perspective this year is still very much up in the air; some projects I definitely know about include:

– New SIEM solution unifying the log correlation solution across the business,

– Supporting the design and creation of a new Security Operations Centre,

– Setting up various avenues to better integrate security with the wider business so we can communicate better with stake holders and customers,

– Several other things not yet ready for disclosure but I will update on what I can throughout the year.

One of my main plans for this year is to get more involved with the business. I am pretty good at staying abreast of security and the technical side of things, but I don’t always have as much involvement in and awareness of the business as I perhaps could / should.

As a starter for 10, given that my last three roles have been in the financial sector, I have recently started reading The Economist, which is surprisingly interesting. I have also picked up a couple of projects, such as the one mentioned above around communicating better with the business, to aid this in my current role as well as wider industry awareness.

Other than that 2014 will include my graduation ceremony, some conferences, and likely some further study. Time permitting I may also submit speaking proposals to a couple of conferences, but this is very much a maybe.

I’ll also be working to implement some more of the tips from the Productivity Ninja to aid planning and organisation.

Speed of response (the speed with which attacks are detected, and then remediated once discovered).

Relatively new attack discovered / named last year – ‘watering hole’ attacks. As with a predator sitting by the waterhole knowing the prey will come to it, malicious users take over a site that their targets are likely to visit and trust, then wait for them to arrive; malware etc. is then delivered to users of the site.

Massive % of security spend currently goes on prevention, not detection.

71% of organisations have some sort of SOC (66% in the wider survey), and most of the rest have plans to have one. The question covered everything from just a few analysts who do investigations right through to full SOC capabilities.

CIRCs can / should comprise four areas of responsibility, presented as suggested Tiers 1 – 4. Note that one person can hold multiple roles; a smaller organisation doesn’t need four or more people to cover them.

EMC example – 1046 employees received an obvious phishing email about fake wire transfers; 17 clicked on the link, and 2 even clicked through the ‘are you sure?’ warning from the EMC gateway! This sort of investigation (who received it, who clicked, who clicked through) should take minutes. Does it for your organisation?

The maturity Journey – Control – Compliance – IT Risk – Business Risk

Your business needs to be moving from compliance towards IT risk, at the very least, for levels 3 and 4 of the SOC to make sense.

Business risk, then IT risk, SHOULD drive your security program and strategy. Compliance is a byproduct of good security.

MSSP (Managed Security Service Provider) – Make CIRC function more complete and affordable

What does it make sense to outsource from the CIRC functions?

Start with Tier 1; the second most likely candidate is threat intelligence (as this can be somewhat stand-alone, and an MSSP likely already has good contacts and threat intelligence they can share).

Tiers 3 and 4 can be outsourced, but these are harder, as they likely require in-depth expertise and knowledge of the internal operation of the organisation.

RSA Security Analytics is designed to meet these needs. Well, there had to be some product focus as it’s an RSA presentation.

My questions:

However, where does this fit into the overall business?

Can it be used by the wider business in order to offer a business wide solution to log management and analytics?

RSA response – data is stored in Hadoop-style storage, so you can write your own tools to query it. But no, there are no plans for them to provide any ops-style dashboards and functionality that could be used by the wider IT team and the business. For me this is a massive gap given the current market for log correlation and analysis tools. There is no way a business should want two of these solutions in place, with logs shipped to both and all the associated licensing and management that goes with it. Having two tools also leads to a potential situation where not all logs reach the security tool, and therefore you’ll miss potential threats.

So back to the talk:

RSA Security Analytics provides a combination of both real-time and longer-term analytical abilities:

real time example – analysing data on the wire for attacks and suspicious behaviour

longer term example – logons for the same user from two different locations – analyse the distance between the locations against the time between the logons (‘impossible travel’)

Threat intelligence from feeds and incorporating business context.

Look at all the data, use intelligence to narrow it down to provide a low number of real and useful alerts.
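The ‘distance between locations versus time between logons’ check mentioned above, worked through as an added example. This is not RSA’s code and does not use Security Analytics; it is a small stand-alone Python implementation over a constructed set of logon events. The latitude / longitude values are assumed to come from a GeoIP lookup on the source IP (the lookup itself is not shown), and the 1000 km/h ceiling and 50 km minimum distance are assumed thresholds, not values from the talk.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample logon events (user, UTC timestamp, source IP, latitude, longitude).
# The coordinates stand in for what a GeoIP lookup on the source IP would return;
# the IPs are documentation ranges, not real hosts.
SAMPLE_LOGONS = [
    ("alice", "2014-01-06T08:00:00Z", "203.0.113.10", 51.5074, -0.1278),   # London
    ("alice", "2014-01-06T08:45:00Z", "198.51.100.7", 40.7128, -74.0060),  # New York, 45 min later
    ("bob",   "2014-01-06T09:00:00Z", "203.0.113.11", 51.5074, -0.1278),   # London
    ("bob",   "2014-01-06T18:30:00Z", "198.51.100.8", 40.7128, -74.0060),  # New York, 9.5 h later
    ("carol", "2014-01-06T09:00:00Z", "203.0.113.12", 51.5074, -0.1278),   # London
    ("carol", "2014-01-06T09:05:00Z", "203.0.113.12", 51.5074, -0.1278),   # London again
    ("dave",  "2014-01-06T10:00:00Z", "203.0.113.13", 51.5074, -0.1278),   # London
    ("dave",  "2014-01-06T10:00:00Z", "198.51.100.9", 40.7128, -74.0060),  # New York, same second
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude / longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_logons(rows):
    """Turn the raw tuples into dicts with timezone-aware datetimes."""
    events = []
    for user, ts, ip, lat, lon in rows:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"user": user, "time": when, "ip": ip, "lat": lat, "lon": lon})
    return events


def detect_impossible_travel(events, max_speed_kmh=1000.0, min_distance_km=50.0):
    """Flag consecutive logons by the same user that would require travelling
    faster than max_speed_kmh (assumed threshold, roughly a commercial flight).
    Pairs closer than min_distance_km are ignored so GeoIP jitter between
    neighbouring cities does not raise alerts; a zero time gap over a real
    distance is treated as infinite speed and flagged."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e["user"], e["time"])):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if distance < min_distance_km:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            speed = float("inf") if hours == 0 else distance / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"],
                    "to_ip": cur["ip"],
                    "distance_km": round(distance, 1),
                    "minutes": round(hours * 60, 1),
                    "speed_kmh": round(speed, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(parse_logons(SAMPLE_LOGONS)):
        print(alert)
```

On the constructed data, alice (London to New York in 45 minutes) and dave (two continents in the same second) are flagged; bob has 9.5 hours between the same two cities, which is feasible, and carol never leaves London. In a real SIEM the thresholds need tuning: corporate VPN egress points and mobile carrier GeoIP can put a legitimate user in two ‘locations’ minutes apart, which is exactly why the rule should feed an analyst queue rather than block accounts outright.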

Security Analytics demo:

Has the full data set; can drill down to specific IP addresses and the behaviour between them and others, identifies hacker tools etc.

Integrates with RSA threat feed etc.

Identifies high-risk file types, Windows CLI commands etc.

Maintains a suspicious IP address list, built from the top suspicious IPs seen.

Can reconstruct captured network data back into the original content – e.g. can view emails as emails with cc etc., and can view text files and images. This looks a bit like man-in-the-middle tooling: it reassembles the actual conversation / traffic.

Overall this was a useful talk with quite a few good points and, outside of the demo, relatively little product and marketing talk.

I am however very disappointed that RSA are intent on keeping Security Analytics 100% focused on security only. It’s undoubtedly a good product in this space, but there are other products now that appear to offer similar levels of functionality while also being genuinely good products across ops / application support / business users etc., and also being potentially more flexible and extensible. Take a look at both Splunk and LogRhythm.

I have recently been thinking about and reading up on how to improve Security Operations Centres (SOCs) to meet the constantly evolving environment and threat landscape in which we operate. There are obviously many tools that are required, from network monitoring to IPS (Intrusion Prevention System) to log collection and correlation systems to auditing and file integrity monitoring.

This post will however briefly cover the ‘soft’ side of the SOC and three key skills / processes that there seems to be agreement are required for a SOC to be effective and forward looking.

The first of these is understanding the business and business systems in detail and being able to put any event in the context of the business. Which systems are affected? Which business processes does this impact? What is the relative priority? This means the team needs to understand more than just vulnerability x and y and their generic severity ratings. They must understand your business context and be able to relate events to it effectively. Tools can also help here in terms of event correlation and the scale of the issue; this is where the new breed of ‘big data’ real-time analysis and correlation tools such as Splunk, Palantir, or Security Analytics come in.

The second key skill / process is that of effective incident handling. This must again focus on your specific business and its priorities in case of an event, such as evidence gathering, escalation, keeping services running, and regulatory requirements. The event must be related to these factors with an understanding of its impacts on your business. The more effective and streamlined this process can be, the lower the impact will be when the inevitable issues, from virus infections to full-scale breaches, occur.

The third key area is around business processes. Any process that involves users of the company’s systems will likely be a key attack vector. Technology can’t ever stop all attacks; this is why social engineering is still the number 1 way attackers gain a foothold in most environments. The security team must work with the business to perform threat assessment and modelling sessions to understand the attack vectors, and work with the users to minimise or mitigate them. Solid user training, awareness and engagement will also help here.

Attackers who want to get into your systems, for whatever reason from financial gain to hacktivism, are constantly changing and improving their game. We need to work hard to keep up and keep them out, or at least contained. A well-formed and smoothly functioning SOC that is closely aligned to the business is a key part of any organisation’s defence.

– Signature based – everything from AV to anti-spam to firewalls to IPS tends to look for known things and behaviours (signatures)

– Perimeter orientated – firewalls, IDS / IPS, router security etc. still make up much of the focus, yet our networks are becoming more and more porous or boundary-less.

– Compliance driven – often at the expense of ‘real’ security and risk management.

Detection time is poor – many attacks go undetected for far too long. How do we reduce this attacker free time or dwell time?

Focus needs to shift from ‘I will stop breaches’ to ‘I will be breached’, and then how do we manage this and prevent / minimise damage.

Identified four impediments to change from the current state:

– Information deluge – too much information

– Budget dilemma – so much hype and marketing, what do I spend limited budget on?

– Cyber security talent – what talent do I have in my organisation, how do I leverage it, and how do I scale the reach of the limited number of very talented people to work for the whole organisation?

– Macro situational awareness – how aware am I of my organisation, and of its wider operating environment?

So what can we do?

SIEM (Security Information and Event Management) has been a good start, but has limited ability to deal with the complex, multi-faceted attacks of today. Separating bad from good has become an increasingly difficult problem.

How do we understand what ‘good’ looks like? It is much more complex than just ‘is it a valid login’; ‘bad’ may be a complex set of apparently authorised transactions that look very similar to ‘good’ activity.

This must be backed with a powerful analytics engine to enable complex searches and analysis on these varied and large data sets.

This is a step beyond traditional logging / SIEM platforms.

This allows us to move to ‘active defence’, which gives the user the ability to take action or automatically remediate common cases. This turns a passive system into an active one, largely using existing infrastructure. In turn this fuels actionable and effective workflows for the SOC.

Interestingly this talk links back to those on SOA and big data from the Service Technology Symposium; both identify the need to manage and analyse big data in real time, or as near to real time as possible. These points highlight how entirely disparate areas, in this case SOA / development and security, can have similar needs and come to the same conclusions. Being able to meet the needs of your systems and application teams as well as your security team may help get your log correlation and analysis project approved. Another reason for understanding your wider business teams and environment!

Also kudos to the presenter for remaining very vendor neutral despite working for RSA / EMC; there were hints of their products, but none were mentioned by name and there was no sales pitch.